Impact of U.S. Government Shutdown on Cybersecurity: Feedback Friday

The failure of President Donald Trump and the Democratic Party to reach an agreement over funding for the controversial Mexico border wall has led to the longest government shutdown in US history.

The partial shutdown has resulted in many government employees not getting paid and many services becoming unavailable. In terms of cybersecurity, the shutdown has led to services such as NIST’s Computer Security Resource Center (CSRC) being suspended and the TLS certificates for over 130 .gov domains being allowed to expire.

Industry professionals have commented on these and other cybersecurity-related implications of the US government shutdown.

And the feedback begins…

Marc French, SVP, Chief Trust Officer, Mimecast:

“With the government shutdown dragging past the month mark, there is an element of cyber security that is not being talked about. The media focus has been around increasing criminal activity, non-renewed certificates and failed patching. What we aren’t talking about is the fact that there are ‘essential’ cyber professionals defending our country against these activities and that these professionals are at the vanguard of an evolving mental health crisis within the cyber career space.

I see many of my fellow cyber security professionals suffering from the stresses of constant response and succumbing to the pressures that afflict many other first responders. With this already impacting their daily lives, along comes the shutdown with the uncertainty of a future and the lack of steady income, and I can only imagine the number of these hard-working government folks who may reach their breaking point. What happens then? Folks exit the profession and with the current skills shortage, who is going to jump in to replace them? How are we going to defend our national institutions if no one is manning the desk or those who stay are potentially in a bad state?

I am not advocating for special treatment for these folks. What I am advocating for is that we, as a collective society, recognize the problem, treat these individuals like other first responders and invest in the treatments that they need to continue on in this profession. Without it, I fear that this shutdown could cause a long-term problem for a short-term budget issue.”

Chris Morales, head of security analytics, Vectra:

“Perhaps the biggest concern of the government shutdown is that this type of instability would hamper the federal government’s ability to attract and retain good cybersecurity talent. With the number of available roles in the private sector that pay with much more lucrative salaries and benefits, it’s going to just get harder for government agencies to compete. If anyone is in need of more automation and efficiency in security operations processes, it will be these federal agencies.”

Dave Weinstein, VP of threat research, Claroty:

“The most significant cybersecurity implication of the shutdown is not about operations or technology, but rather people. The U.S. government already suffers from a human capital deficit in what is a highly competitive marketplace for talent. It's hard enough to convince candidates to forfeit the fortunes of Silicon Valley in the name of public service. This shutdown, and those that have preceded on what seems like an annual basis, is yet another disincentive to join the federal workforce. With unemployment at an all-time low there are fewer and fewer reasons for promising graduates and even mid-career professionals to join the ranks of the furloughed and subject themselves to such uncertainty and volatility.”

John McCumber, Director of Cybersecurity Advocacy, North America, (ISC)2:

“The government’s shutdown may lead to longer-term challenges when it comes to the management of our national cybersecurity workforce. The Federal government is already facing an uphill battle in the recruiting competition against higher-paying private sector organizations and issues like this only serve to make it look like a less stable place to start a career.

It’s also troubling that something as critically important as the National Institute of Standards and Technology is considered non-essential during the shutdown. It highlights the concern that our priorities, mandates and corresponding actions need better alignment with today’s national security threats and vulnerabilities.”

Heather Paunet, Vice President of Product Management, Untangle:

“As cyber-attacks can spread quickly, it is vital for the government and the private sector to continue to share threat intelligence data, so an attack only occurs once. With only a skeleton crew at the helm, data sharing and rapid response can suffer, leaving our nation susceptible to cyber threats and attacks. The longer the government shutdown continues, the more opportunity there is for private and state-sponsored attackers to take advantage of any possible gaps in oversight.”

“The shutdown could greatly hinder the federal government’s ability to recruit top IT talent. In many cases, agencies are simply incapable of competing against private industry on salary alone. Coupled with a more complex recruiting process and security clearances that can last up to 18 months, the shutdown could be the tipping point for soon-to-be graduates who are pursuing careers in IT and cyber to join the private sector rather than the federal government, as it signals there could be far less stability for future jobs in the public sector. But data from the Office of Personnel Management shows that millennial talent is needed now more than ever before. In fact, the number of federal employees who are eligible to retire will rise to 30 percent within the next five years. This means that the existing cyber and IT talent gaps affecting the federal government will continue to widen if the federal government is unable to tap prospective candidates.

To overcome the workforce silos that will likely result from the shutdown, the onus will be on federal hiring managers to obtain direct hiring authority for mission-critical, IT and cyber roles, which helps mitigate one of the greatest challenges federal agencies face in the recruiting and hiring process: slow speeds. After I graduated from college, I interviewed for several jobs with the federal government, but due to the hiring process, which was incredibly slow, it resulted in a discouraging experience. Years later, this is still an ongoing challenge for the federal government and something that needs to be addressed before agencies can expect to compete with private industry. While it’s clear that in many cases, federal agencies are unable to match the salaries of their private sector counterparts, they will also need to get creative in the ways they showcase their unique brand, benefits and mission-focused work in their job listings.”

Franklyn Jones, CMO, Cequence Security:

“Aside from TLS certificates, the shutdown inevitably compromises the overall security of many government websites and leaves them far more vulnerable to attacks. For example, it creates a great opportunity for bad actors to launch automated bot attacks, testing previously stolen credentials to gain access to private accounts on government sites. Without having security staff fully focused on monitoring application traffic, analyzing potential attacks, and implementing a mitigation plan, the general public might suffer another unexpected consequence of Trump’s decision.”

“The cybersecurity issues raised around the government shutdown have largely focused on how government furloughs are impacting cybersecurity staffing levels and the security of government sites. However, there is a potentially more ominous risk brought about by the dislocation of 800,000 workers, who may be justifiably disgruntled or under serious financial duress.

These employees make prime targets for criminals and nation states seeking to access U.S. government networks and, ultimately, data, for several reasons. First, people in difficult life circumstances are more vulnerable to social engineering attacks designed to trick them into giving away their credentials, because they can be desperate for good news or job opportunities. Second, having thousands of employees under financial duress increases the likelihood of “pay for passwords.” Third, employees will undoubtedly seek employment elsewhere over time (in fact, we’re starting to see headlines about this already), which means they could be working for other organizations when the shutdown ends, while still having credentials to log into U.S. government infrastructure. And finally, disgruntled workers are among the most profound insider cybersecurity threats to their employers, and every day of the shutdown stands to increase the population of disgruntled workers.

These factors have the potential to create an identity management nightmare for government security teams, which are operating with skeleton staffs (that is, if they have anyone at the identity helm to begin with). Automated preventative and protective identity and access management (IAM) controls come into play here, because they quickly let security staff know who has access to what (and how they’re using that access). An advanced intelligent, risk-based authentication technology can monitor activity and detect anomalous behavior. Federal agencies that don’t have strong, automated IAM solutions and processes in place may want to consider disabling furloughed workers’ access completely. If this isn’t an option, security pros who are working during the shutdown should stay extra vigilant, so they’re able to immediately identify and act on unauthorized network and data access.”

Tim Callan, Senior Fellow, Sectigo:

“IT systems of all types depend on digital certificates to continue operating safely. That includes not only websites, but also the internal computing applications that keep our government agencies running. Certificates are essential to information flow, financial transactions, operations involving citizens’ personally identifiable information (PII), healthcare, utilities, transportation, and defense. Without active certificates, all these government functions would be in jeopardy of shutting down.

Because a large agency might be using thousands of certificates, they require continual monitoring and care to ensure certificate expirations don’t create outages or data breaches. December’s widespread outage in service for O2, Softbank, and other major cellular carriers shows the damage that unaddressed certificate expirations can cause. Reports of expirations in agencies such as NASA, the US Department of Justice, and the Court of Appeals emphasize the seriousness of this possibility.

Certificate automation and management is one way organizations can defend against this kind of risk. The technology can monitor and automatically replace expiring certificates, give visibility into the certificates in use, and even discover new certificates before an unexpected expiration can cause a problem - reducing the risk of lost revenue or data and financial penalties for outages or security breaches.”

Andy Norton, director of threat intelligence, Lastline:

“During a government shutdown, infrastructure is sitting unpatched and alerts are going uninvestigated – true. But it’s not just the risk of a successful intrusion that is increased. The impact from potential attacks is also heightened.

In fact, victims of identity theft during the shutdown are being adversely affected. The federal government’s one-stop resource for identity theft victims, IdentityTheft.gov, has been shut down. This site typically provides streamlined checklists and sample letters to guide victims through a recovery process, and because it’s not operational at this time, it’s a disaster for victims.

In addition, access to best practice systems on what to do when you detect identity theft has also been shut down. Victims of identity theft are currently not even able to report an attack at https://www.ftccomplaintassistant.gov/. People are basically helpless in reporting identity theft during this time.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.